Policy for Tracking Last Authentication
Time

When set, pwdKeepLastAuthTime causes Directory Server to
track the time of the last successful bind every time that a user authenticates.
The time is recorded on the pwdLastAuthTime(5dsat) operational attribute
of the user's entry.

Because this behavior adds an update for each successful bind operation,
the pwdKeepLastAuthTime feature is not activated by default.
You must explicitly turn the feature on to use it in your deployment.